Using Docker Registries

This topic describes how to configure Pivotal Cloud Foundry (PCF) to access Docker registries such as Docker Hub, either by using a root certificate authority (CA) certificate or by adding the registry's IP address to a whitelist. It also explains how to configure PCF to access Docker registries through a proxy.

After configuration, BOSH propagates your CA certificate to all application containers in your deployment. You can then push and pull images from your Docker registries.

Use an IP Address Whitelist

If you choose not to provide a CA certificate, you must provide the IP address of your Docker registry.

Note: Using a whitelist skips SSL validation. If you want to enforce SSL validation, enter the IP address of the Docker registry in the No proxy field described below.

Navigate to the Ops Manager Installation Dashboard.

Click the Pivotal Application Service tile, and navigate to the Application Containers tab.

Select Allow SSH access to app containers to enable app containers to accept SSH connections. If you use a load balancer instead of HAProxy, you must open port 2222 on your load balancer to enable SSH traffic. To open an SSH connection to an app, a user must have Space Developer privileges for the space where the app is deployed. Operators can grant those privileges in Apps Manager or using the cf CLI.

For Private Docker Insecure Registry Whitelist, provide the hostname or IP address and port that point to your private Docker registry. For example, enter 198.51.100.1:80 or mydockerregistry.com:80. Enter multiple entries in a comma-delimited sequence. SSL validation is ignored for private Docker image registries secured with self-signed certificates at these locations.

If you choose the Clean up disk-space once threshold is reached option, enter under Threshold of Disk-Used (MB) the disk space limit the Cell must reach before disk cleanup initiates.

Click Save.

Choose one of the following:

If you are configuring Pivotal Application Service (PAS) for the first time, return to your specific IaaS installation instructions (AWS, Azure, GCP, OpenStack, vSphere) to continue the installation process.

If you are modifying an existing PAS installation, return to the Ops Manager Installation Dashboard, click Review Pending Changes, and click Apply Changes.

After configuration, PAS allows Docker images to pass through the specified IP address without checking certificates.
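Because every whitelisted entry skips SSL validation, it helps to review the field periodically. The following is an added example, not part of the Pivotal documentation: it parses the comma-delimited Private Docker Insecure Registry Whitelist value and checks each entry with a fully validated TLS handshake. The function names, the advice strings and the cafile bundle (assumed to match what your deployment trusts) are assumptions made for this example; SAMPLE is built from the example entries above.

```python
import socket
import ssl
import sys

# Field value constructed from the two example entries on this page.
SAMPLE = "198.51.100.1:80, mydockerregistry.com:80"

def parse_whitelist(value):
    """Split the comma-delimited field into (host, port) pairs."""
    entries = []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"expected host:port, got {item!r}")
        entries.append((host, int(port)))
    return entries

def tls_status(host, port, cafile=None, timeout=5):
    """Handshake with full validation: 'valid', 'untrusted' or 'no-tls'."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "valid"
    except ssl.SSLCertVerificationError:
        return "untrusted"  # chain or name does not verify against the bundle
    except OSError:
        return "no-tls"     # plaintext service, handshake failure or unreachable

def audit(value, cafile=None, probe=tls_status):
    """Map each whitelist entry to advice on whether it must stay whitelisted."""
    advice = {
        "valid": "certificate verifies; whitelist entry may be unnecessary",
        "untrusted": "certificate not trusted; consider adding its root CA instead",
        "no-tls": "no TLS handshake completed; check the port and protocol",
    }
    return [(f"{h}:{p}", advice[probe(h, p, cafile)])
            for h, p in parse_whitelist(value)]

if __name__ == "__main__":
    # Pass the real field value (and optionally a CA bundle path) as arguments.
    if len(sys.argv) > 1:
        for entry, note in audit(sys.argv[1], *sys.argv[2:3]):
            print(entry, "-", note)
    else:
        print(parse_whitelist(SAMPLE))
```

Run it with the field value as the first argument from a host that can reach the registries; with no arguments it only parses SAMPLE and makes no network connections.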

Configure PCF to Access Proxies for Docker Registries

If you have proxies already set up for Docker registries, you should configure PCF to access your Docker registries through a proxy.

To configure PCF to access a Docker registry through a proxy, do the following: